Today we are going to explain a particular scenario in which the main idea is to allow only specific IP addresses to reach a web site exposed through CloudFront.
This is the architecture:
Before starting we need to explain the different AWS resources involved.
Simple Storage Service or S3 (buckets)
It is the most used service for object storage; you can save any kind of file here.
CloudFront
It is the CDN (Content Delivery Network) in AWS. It allows users around the globe to use your web applications or APIs in a faster and more reliable way, because the concept of a CDN is to serve content from cache at the AWS point of presence closest to the user. For example, assume that you have clients in Europe and your application is hosted in Virginia: when you use CloudFront your application takes less time to load for the end user than it would without this service.
CloudFront Functions
These are an option to deploy different features to our sites. For example, if you want to fix findings related to HSTS on your sites you can use a function to add those headers, or, as in this case, if you want to allow only a few IP addresses to reach your site and block the rest of the internet, you can use a function for that.
WAF
Web Application Firewall, native in AWS, is the layer 7 security feature to protect our APIs, web apps and others. It works with ALB, API Gateway, CloudFront and other resources inside AWS.
The common architecture for deploying static sites in AWS is to use an S3 bucket to publish the site and integrate it with CloudFront.
To secure this architecture it is important to never expose the S3 bucket to the internet directly, and that is the reason for using CloudFront.
You can configure this at the origin option in CloudFront (origin access control, OAC) and copy the generated policy to the S3 bucket that holds your web site.
Copy the OAC policy to the S3 bucket:
In the S3 bucket you have this enabled for S3 static website hosting:
When you try to reach the URL it shows an error message; this is because of the OAC configuration.
Another security configuration is this one, "Block public access". This is a must.
So once you have your application working using CloudFront + S3, now we explain the scenario.
Some company X wants to allow only a specific IP from a VPN service to reach the site exposed in CloudFront.
To do this you can use WAF or CloudFront Functions.
In WAF you can configure custom rules: one to allow the specific IP address, and then set the default action to block.
The expected behavior is that when you use the VPN the site loads correctly without showing a 403 error.
The whitelist rule is this:
The default block is here:
When I did the test it showed an error without the VPN:
And with the VPN the site works fine:
Be aware of any custom error pages in the CloudFront configuration, because they can cause issues with the 403 response.
Finally I checked in the WAF console and saw some blocked and some allowed traffic:
The other option is using CloudFront Functions.
You need to create a function and associate it with the CloudFront distribution.
This is the function code:
```javascript
function handler(event) {
    var request = event.request;
    // Source address of the viewer connecting to CloudFront
    var clientIP = event.viewer.ip;
    // Your VPN IP (you can add multiple)
    var allowedIPs = [
        '45.45.45.45'
    ];
    // Check whether the IP is allowed
    if (allowedIPs.indexOf(clientIP) === -1) {
        // IP not allowed - return 403
        return {
            statusCode: 403,
            statusDescription: 'Forbidden',
            headers: {
                'content-type': { value: 'text/html; charset=utf-8' },
                'cache-control': { value: 'no-store' }
            },
            body: {
                encoding: 'text',
                data: '<html><head><title>Access Denied</title></head><body><h1>403 - Access Denied</h1><p>VPN connection required to access this resource.</p></body></html>'
            }
        };
    }
    // IP allowed - continue normally
    return request;
}
```
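As an added example (not code from the original post), this is a variant of the same CloudFront Function that matches IPv4 CIDR ranges instead of single addresses, which is what you usually need when the VPN provider uses a pool of egress addresses. The ranges in ALLOWED_CIDRS are constructed placeholders, and the function fails closed: anything that does not parse as an allowed IPv4 address, including an IPv6 viewer address when IPv6 is enabled on the distribution, gets the 403.

```javascript
// Added example (not from the original post): same idea as the handler above,
// but matching IPv4 CIDR ranges. The ranges below are constructed placeholders.
var ALLOWED_CIDRS = ['45.45.45.0/24', '203.0.113.10/32'];

// Parse a dotted-quad IPv4 address into a number; returns null if malformed.
function ipv4ToInt(ip) {
    var parts = String(ip).split('.');
    if (parts.length !== 4) { return null; }
    var n = 0;
    for (var i = 0; i < 4; i++) {
        if (!/^\d{1,3}$/.test(parts[i])) { return null; }
        var octet = parseInt(parts[i], 10);
        if (octet > 255) { return null; }
        n = n * 256 + octet;
    }
    return n;
}

// True if ip falls inside cidr ("a.b.c.d/len"); a bare address means /32.
function inCidr(ip, cidr) {
    var pieces = cidr.split('/');
    var base = ipv4ToInt(pieces[0]);
    var len = pieces.length === 2 ? parseInt(pieces[1], 10) : 32;
    var addr = ipv4ToInt(ip);
    if (base === null || addr === null || isNaN(len) || len < 0 || len > 32) { return false; }
    // Compare the network part with arithmetic; JS bitwise ops are signed 32-bit.
    var blockSize = Math.pow(2, 32 - len);
    return Math.floor(addr / blockSize) === Math.floor(base / blockSize);
}

// Fail closed: an IPv6 viewer address or anything unparsable is not allowed.
function isAllowed(ip, cidrs) {
    for (var i = 0; i < cidrs.length; i++) {
        if (inCidr(ip, cidrs[i])) { return true; }
    }
    return false;
}

function handler(event) {
    if (!isAllowed(event.viewer.ip, ALLOWED_CIDRS)) {
        return {
            statusCode: 403,
            statusDescription: 'Forbidden',
            headers: { 'cache-control': { value: 'no-store' } }
        };
    }
    return event.request;
}
```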
Then you need to publish your function and associate it with the distribution.
Finally, do some tests; it works similarly to AWS WAF.
Without VPN:
With VPN:
I hope that this helps.
Until next time.